Event Recording

Convergence Across Identity, Authentication and Open Banking

Show description
Speakers
Juliana Cafik
Principal Program Manager
Microsoft
Juliana Cafik
Juliana began her 27 years in the technology industry from a very different trajectory, building solutions for ski resorts to move more people up mountains simply, quickly, affordably and without risk of repudiation. During her career she has architected many innovations such as: new protocols...
View profile
Heather Flanagan
Principal
Spherical Cow Consulting
Heather Flanagan
Heather Flanagan, Principal at Spherical Cow Consulting, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organizations on the Internet, including...
View profile
Daniel Goldscheider
Founder and ED
OpenWallet Foundation
Daniel Goldscheider
Daniel is Founder and ED of OpenWallet Foundation, a consortium of companies and non-profit organisations collaborating to drive global adoption of open, secure and interoperable digital wallet solutions as well as providing access to expertise and advice through our Government...
View profile
Mark Haine
Founder
OpenID Foundation
Mark Haine
Mark is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate risk in financial services. At the start of 2020 Mark founded Considrd.Consulting and (with his team) is providing strategic security consultancy to a range of clients. He...
View profile
Nick Mothershaw
Chief Identity Strategist
The Open Identity Exchange
Nick Mothershaw
Nick is Chief Identity Strategist at the Open Identity Exchange, a community for all those involved in the ID sector to connect and collaborate, developing the guidance needed for inter-operable, trusted identities. Through OIX’s definition of, and education on, Trust Frameworks we create...
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
The Human Impact of Identity – Women in Identity Code of Conduct
May 11, 2023

Women in Identity strongly believes there is a need for a global Identity Code of Conduct to address identity exclusion—being excluded from access to identification credentials — that subsequently leads to exclusion from financial services and products.

The Women in Identity team are half way through their research project with the current phase focused on the development of the code of conduct.

This panel will share early look at the guiding principles that will ensure all users of digital identity systems have a consistent and high-quality user experience.

Event Recording
Street Cred: Increasing Trust in Passwordless Authentication
May 10, 2023

Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication? 

The industry needs to trust passwordless authentication (FIDO2). Adversaries and then criminals have circumvented our authentication controls for decades. From the very first theft of cleartext passwords to the very latest bypass of a second-factor, time and again improvements in defenses are met with improved attacks.

What holds us back from getting rid of passwords? Trust. In this session, we will propose a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor, and to reassess based on shared signals (CAEP). We will share a path forward for increasing trust in passwordless authentication.

Event Recording
The Killer Credential - Spotting Verifiable Credentials That are Absolute Must-Haves for Every Party in an Ecosystem
May 10, 2023
Event Recording
Architecting Identity-First Zero Trust Implementations
May 10, 2023

Zero Trust starts with Identity. It ends with authorization. And it is centered around policy-based controls for authentication, access, and more. IAM is ubiquitous in Zero Trust. Thus, every Zero Trust implementation must follow an identity-first approach.

In this session, we look at the intersection of IAM and Zero Trust, and provide a mapping of IAM capabilities to Zero Trust requirements. We also look at the need for modern IAM, from adaptive, passwordless authentication to continuous authentication, ITPR (Identity Threat Detection and Response), PBAM (Policy Based Access Management), but also Data Governance and the intersection of IAM and Code Security. This will help you in aligning your IAM and ZT strategies and give you a concrete understanding of technologies you will need (or not).

Event Recording
Wallets and Beyond: How Mobile Operators Will Enable Tomorrow’s Identity
May 11, 2023

The digital identity paradigm looks set to evolve. Citizens might rely on digital identity wallets within a few years. As the metaverse and Web 3.0 take shape, users will need more than ever to trust who they interact with and be protected against fraud. How are mobile operators approaching these evolutions? This session will bring GSMA perspective on the mobile industry’s contribution to securing digital services, as the identity landscape shifts. Helene Vigue will share how tomorrow’s digital identity may build on mobile operators’ assets and services.

Event Recording
SAP Transformation and IGA
May 10, 2023

Various large organizations typically have invested heavily in SAP as well as IGA. There comes a point where the two systems start overlapping functionalities. This session will provide a viewpoint on an integrated IGA approach based on organization needs.

Event Recording
Pros & Cons of Anonymity and ZKP - Do we Know Them?
May 12, 2023

Within the digital identity wallet-movement (and especially SSI), there is a lot of focus on proving something about yourself, without revealing anything else, also known as ZKP (Zero-Knowledge Proof). It is important to realize that if we build this into the future identity systems, we will also grant any criminal the right to full anonymity.
While there are some marginal use cases (buying beer and adult materials) where we might want this, using ZKP also excludes accountability, unless there is a way to reveal the identity behind the proof. This would then be pseudonymity, and the challenge here, is who is authorized to reveal this, and how to prevent mis-use.

Event Recording
Zero Trust with Zero Buzz
May 11, 2023

The objective of the talk is to:

  1. (10%) Clear out the noise around Zero Trust: why Zero Trust has became a buzzword
  2. (20%) Define Zero Trust
  3. (60%) Set the journey:
    • how can we implement Zero Trust?
    • where to start? how to do it?
    • what are the building blocks?
    • building blocks stages and maturity?
  4. (10%) How can Zero Trust protect us against today's threats.
Event Recording
Managing Your Enterprise Security Posture to Avoid Web3 and Smart Contract Breaches. Practices & Lessons for Enterprises with Case Studies
May 11, 2023

Web3 is a revolutionary changing aspect of technology in the current era but protecting Web3 will be a challenge considering how smart contracts are challenging. New businesses utilizing blockchain technology are more focused on business while their different assets need eyes, such as the most vulnerable DApps and Web3 services.

Decentralized applications, commonly referred to as dApps, are not controlled by a single point of authority. Instead, they run on a blockchain or a P2P network, making them more complex and riskier than traditional applications.

In this talk, we'll discuss how hackers are utilizing their techniques to attack web3 and smart contracts and what are best practices for enterprises to prepare for the challenge.

Event Recording
Graph-Based Access Control: What, Why and How ?
May 11, 2023

“Graph-Based Access Control'' (GBAC) is a generic term that refers to the use of graphs and networked data to solve Identity and Access Control problems. You may have seen this before through the disguise of acronyms such as ReBAC (relationship-based), KBAC (knowledge-based), PBAC (policy-based), NGAC (Next-Generation), FGA (fine-grained), and even some implementations of ABAC (attribute-based). All of these terms refer to techniques that use graphs to enforce access-control for any level of coarseness.

In this session you will learn why all the latest Dynamic Authorization offerings on the market use GBAC in a way or another, and how you can successfully adopt the technique yourself. Graphs are becoming ubiquitous - one can just look at the rise of the GraphQL API model to witness their popularity first-hand. Through concrete, real-life examples we will showcase the use of graphs to solve common access problems using the same modern and future-proof techniques that you see in the current authorization market.

As a result, storing all identity data in graphs truly unlocks its full potential. Graphs are data-science and analytics enablers, and have the potential to transform the IAM practice from a cost centre to a true revenue generator. We’ll explore how this can happen for you too…

Event Recording
A Sovereign Cloud for the German Government
May 11, 2023

You will learn about the Sovereign Cloud for the German Government, this solution is based on Azure and operated by Delos Cloud Gmbh

Event Recording
Fallacy of Decentralisation
May 10, 2023

Common Web3 narratives go like this: Web1 was decentralised. Web2 is centralised and dominated by GAFAM/BigTechs. Web3 will be decentralised.

Is this real?

Let us look back. Web1 was about publishing web pages that were linked to other pages. The publishing sites were decentralised all over and were connected by links. Schematics resembled spider webs. Thus, the name “web”. 

Web2 was the read-write web. In other words, API Economy. Was it a centralised architecture? Definitely not. What we imagined as Web 2.0 back in 2004 was that instead of monolithic systems, each site provides a function as REST API, and new services quickly emerge by combining these APIs like LEGO. APIs were decentralised and distributed all over the internet. API calling relationships connected those sites; the schematics resembled a spider web. Thus, the name Web 2.0.

Note, in 2004, none of Google, Amazon, Facebook/Meta, or Apple resembled what we have now.
Google just acquired Double Click, but it still had the banner word “Do not do evil.” The size of the company was 1/10 of Hitachi. Amazon still was an internet merchant. Facebook was just founded, but it still was primarily confined to Harvard and other American university students. Apple was an iPod and Mac company. Were they BigTechs? No! Big guys were IBM, Hitachi, etc., and Google, Facebook etc. were carrying the liberation torch!

Then, how come we end up here, despite the fact that the architecture was completely decentralised?

It was the combination of free market competition and technology that exhibited increasing returns. Any IT technology has decreasing cost/increasing return on investment. Under the circumstances, it will end up in Cournot equilibrium in a fashionable vocabulary - in a common word; winner takes all - monopoly/oligopoly. That’s how we ended up.

What about web3 and decentralised identity? Would the decentralisation dream finally come true?

Well, they still are IT. They still exhibit increasing return necessarily. Then, how can you believe that it will not be dominated by large players just like it happened to Web 2.0? If you let the free market play, it will certainly be. Unlike in the case of Web 2.0 where there still were 100s of thousands of IdPs, we may end up with two Wallets where the wallet provider can come in and decide to delete your verified credentials or ban your account. How decentralised!

Wait, there is more.

How can you believe that code that runs on your phone adheres to what it says?
The data stored on your wallet that runs on your phone may be extracting your data and sending it to criminals. We have seen many times that the initially benign code turns malicious with an update.

According to the Devil's Dictionary of Linguistic Dark Patterns compiled at IIW 2022b, “Decentralised” means “We run our code on your machine at your own risk”. Yes, at your own risk. If it is completely “decentralised” and there is no “provider”, then there is nobody to go after from the point of view of a regulator. Having a “centralised” provider is much better from a consumer protection point of view in this respect.

Is there no light? Are we going to live in the darkness of decentralisation?

Let us briefly think about what web3 was supposed to be. Forget about something that is found between A and Z. I am not talking about that. I am talking about cypher-punks' idealistic dreams.
Many people believe that blockchain is just an immutable ledger. No, it is not! That’s not the innovation of blockchain. Chained immutable records were there long before Satoshi’s invention. It is called Hysteresis signature and was invented in 1999.
Then, what was the innovation? it was the committing of the code into the it to make it immutable and executing it by multiple machines to exclude the result from changed code. In other words, it was the establishment of trust in the running code.
The light could be diminishingly small, but it still is light. That’s the light that I see in web3 that’s not between A and Z.